Wow...I just went through this last week. Definitely didn't think they'd be dumb enough to encrypt the applet but not the chat traffic. But I was a little sketched out by the fact that you go through this entire official ordering process on their website through which you provide all your contact details, then some low-wage support guy in who-knows-where asks for your SSN. I refused to give it to him, which meant I had to put down a $100 deposit. On my credit card. Which I had to type into that unsecured chat box.
Maybe this is just a result of being in the military and having my SSN on 10 trillion documents in various insecure facilities around the world, but I would give out my SSN way before my CC number. Especially in a chat application.
Actually, you can change your SSN -- it's just very hard, requiring something like a risk of assault or proof of persistent misuse. Of course, even if approved, the discontinuity incurs many other inconveniences when seeking credit/employment/housing.
Interesting that the frontend is a Java applet but it's posting to an ASP/ASP.NET URL. Two technologies that you don't usually see a development team combine.
Smells like a bunch of contractors plugging a few random components together to just-get-it-working?
Reminds me of a story I heard a while back of a store with a few locations but only one credit card terminal. In order to process credit cards as needed, they just submitted credit card info by instant message to the store with the terminal, where an employee would process and respond with a confirmation message.
As they say, it's Comcastic!